Tip of the Day
Language: Java
Expertise: Intermediate
May 12, 2009

XML Signature Core Validation Failure with Java and Apache Axis

Many people are using XML digital signatures these days, and most of them apply the signature with the standard code snippet available on the web.

Tried on its own, the snippet works fine and core validation succeeds. Once the same code is integrated with Apache Axis, however, core validation fails.

The core validation failure may result from either signature validation failure or from validation failure of any of the references present.

A signature value validation failure implies that the signature tag added after applying digital signature has been altered.

A reference failure occurs when there has been some change in the signed data since the digest value for the data was generated.

A possible reason for these alterations could be the namespace declarations that XML parsers add automatically. For example, assume you use the code snippet as shown below:

import java.security.KeyPair;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Locate the element that will become the parent of the enveloped Signature
NodeList nodelist = doc.getElementsByTagNameNS(
   "<yourxmlnamespace>", "<tagname>");
Node nn = nodelist.item(0);

// objKeys is the KeyPair whose private key signs the data
DOMSignContext dsc = new DOMSignContext(
   objKeys.getPrivate(), nn);

// fac is the XMLSignatureFactory; si is the SignedInfo and ki the KeyInfo
// built with it earlier
XMLSignature signature = fac.newXMLSignature(si, ki);

// Marshal, generate (and sign) the enveloped signature
signature.sign(dsc);

The generated XML will look like this:

<Signature xmlns=
  "http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm=
      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="">
    <Transforms>
    ...

However, if you then wrap the signed content in a SOAPBodyElement using Apache Axis, the Signature and its child elements, which ideally should have kept the default namespace, get a second declaration of the same namespace under a prefix. The new namespace declaration is embedded into the element as follows:

<Signature xmlns=
  "http://www.w3.org/2000/09/xmldsig#" 
  xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
  <ns1:SignedInfo>
    <ns1:CanonicalizationMethod Algorithm=
      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <ns1:SignatureMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ns1:Reference URI="">
    <ns1:Transforms>
    ...

As you can see, the preceding XML rebinds the signature namespace to the prefix ns1 and re-prefixes every child element, which ultimately leads to validation failure. Such additions are hard to spot by eye. One possible workaround is to make the XML namespace-aware and give every element of the signature a namespace prefix beforehand, so that XML parsers have no reason to add declarations of their own.

To achieve this, add dsc.setDefaultNamespacePrefix("<newprefix>") to the snippet while applying the digital signature. The code now becomes:

// Locate the element that will become the parent of the enveloped Signature
NodeList nodelist = doc.getElementsByTagNameNS(
   "<yourxmlnamespace>", "<tagname>");
Node nn = nodelist.item(0);

// objKeys is the KeyPair whose private key signs the data
DOMSignContext dsc = new DOMSignContext(objKeys.getPrivate(), nn);

// Bind the signature namespace to an explicit prefix instead of the default namespace
dsc.setDefaultNamespacePrefix("dsig");

// fac is the XMLSignatureFactory; si is the SignedInfo and ki the KeyInfo
// built with it earlier
XMLSignature signature = fac.newXMLSignature(si, ki);

// Marshal, generate (and sign) the enveloped signature
signature.sign(dsc);

That code deliberately asks the API to emit the signature under an explicit prefix while creating the DOM context, so that later XML operations have no reason to add extra namespace declarations that would cause validation failure.

The XML will now look like:

<dsig:Signature xmlns:dsig=
  "http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm=
      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <dsig:SignatureMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#MsgId">
    <dsig:Transforms>
    ...
That solves the problem. The preceding XML works just fine.
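The following is an added, self-contained example (not the article's own code, and not Apache Axis code) that puts the two halves of the tip together: it signs a constructed sample document with the explicit dsig prefix described above, validates it, and, when core validation fails, reports whether the SignatureValue or a Reference digest is at fault, which is the distinction the article draws at the top. The namespace urn:example:orders, the element names, and the class name are assumptions for the example; a throwaway RSA key is generated in place of the article's objKeys. It uses RSA-SHA256 and SHA-256 instead of the article's rsa-sha1 because recent JDKs reject SHA-1 XML signatures by default.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class PrefixedSignatureRoundTrip {

    // Constructed sample payload; the namespace is hypothetical, not from the article.
    static final String SAMPLE_NS = "urn:example:orders";
    static final String SAMPLE_XML =
        "<Order xmlns=\"" + SAMPLE_NS + "\"><Item>Widget</Item></Order>";
    // Algorithm URI string so the code also compiles on JDKs without SignatureMethod.RSA_SHA256
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    public static void main(String[] args) throws Exception {
        KeyPair keys = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway test key
        Document doc = parse(SAMPLE_XML);
        Node root = doc.getElementsByTagNameNS(SAMPLE_NS, "Order").item(0);

        sign(doc, root, keys);
        System.out.println("fresh:    " + diagnose(doc, keys));

        // Simulate data changed after signing: the Reference digest no longer matches,
        // while the SignatureValue over the unchanged SignedInfo still verifies.
        doc.getElementsByTagNameNS(SAMPLE_NS, "Item").item(0).setTextContent("Gadget");
        System.out.println("tampered: " + diagnose(doc, keys));
    }

    // Namespace-aware parsing is mandatory for DOM signatures; DTDs are refused outright.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Enveloped signature over the whole document (URI=""), emitted under the "dsig" prefix.
    static void sign(Document doc, Node parent, KeyPair keys) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
                (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(keys.getPublic())));

        DOMSignContext dsc = new DOMSignContext(keys.getPrivate(), parent);
        dsc.setDefaultNamespacePrefix("dsig"); // the article's fix: explicit prefix, no default namespace
        fac.newXMLSignature(si, ki).sign(dsc);
    }

    // Runs core validation and, on failure, names the failing part as the article describes:
    // an altered SignatureValue versus a Reference whose signed data changed.
    static String diagnose(Document doc, KeyPair keys) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) return "no Signature element found";
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext vc = new DOMValidateContext(keys.getPublic(), nl.item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        if (sig.validate(vc)) return "core validation OK";

        StringBuilder sb = new StringBuilder("core validation FAILED:");
        if (!sig.getSignatureValue().validate(vc)) sb.append(" SignatureValue altered;");
        int i = 0;
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            if (!r.validate(vc)) {
                sb.append(" Reference ").append(i).append(" (URI='").append(r.getURI())
                  .append("') digest mismatch;");
            }
            i++;
        }
        return sb.toString();
    }
}
```

Running it prints "core validation OK" for the freshly signed document and "core validation FAILED: Reference 0 (URI='') digest mismatch;" after the Item text is changed. The same diagnose method is what you want in the Axis scenario from the article: if the prefix rewrite has touched SignedInfo, the SignatureValue check fails; if it has only touched the signed body, the Reference check fails.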
Chandan khanna